Wednesday, May 30, 2007

DEVELOPING AN INFORMATION SECURITY PROGRAM TO PROTECT YOUR ORGANIZATION

An information security program exists to protect the information of an enterprise.

An effective program contains appropriate policies, standards, and procedures that support its mission. There is a fine balance between protecting information and making it accessible, on the other hand, to the authorized users. It is necessary, therefore, to design an InfoSec program with the participation of all the stakeholders, namely, different levels of management, different departmental user groups, and the IT department.

The task of developing an effective InfoSec program is relatively easier since two major international organizations, the National Institute of Standards and Technology (NIST) and the International Organization of Standards (ISO), codified standards for information security.

The original NIST publication on the subject is entitled “An Introduction to Computer Security: The NIST Handbook.” The ISO codified the subject under ISO 17799, which, incidentally was adapted from British Standards (BS 7799). More recently, the ISO renamed ISO 17799 to ISO 27002.

I have the subject outline below in mind. On the other hand, the first article will only cover the first topic, Introduction to Information Security (InfoSec). Click here for the first article.


  1. Introduction to Information Security (InfoSec)
  2. Writing Guidelines
  3. Development of the InfoSec Policy
  4. Organizational Standards of InfoSec
  5. Classification of Information
  6. Raising organizational awareness of InfoSec


Sphere: Related Content

Tuesday, May 29, 2007












HOW ERP SOFTWARE DELIVER ITS BENEFITS

Integrated software solutions that span the organization requires business processes to change.

“Integrated” means that the output of one department is the input of another. A good example is the Sales department—the source of many transactions. Whenever a widget (the product) is sold, it triggers a chain of events through a number of outputs.

Inventory will receive an input to locate the widget from among several warehouses and pull it from the one closes to the customer.

Order Entry will receive an input to enter the order into the system after it runs several checks on the new order (e.g., credit check).

Accounts Receivable will receive an input to record a pending sale. The record will contain transaction details such as the identity of the salesperson who brought in the order and the details of the sale itself (e.g., the sales price).

Another term for integrated software is ERP, short for Enterprise Resource Planning. The term is actually a misnomer since the software has nothing to do with planning resources. It does, however, have everything to do with the enterprise—the organization in its entirety. In the late 90s, I worked for the largest healthcare application services provider. Typically, we installed our proprietary software in their environment and processed their transactions at our data center. We provided application services to our client hospitals. Our software was modular and clients could license it on a piecemeal basis. They could license the clinical applications set that, in turn, consisted of separately license-able modules for nursing, radiology, etc. Our entire suite of software applications was an ERP even though my employer did not call it as such.

It should now be clear that integrated software requires business processes to change to derive the software’s maximum benefits.

ERP software does not, in and of itself, provide an organization with a competitive advantage. ERP can initiate the changes—also known as the “re-engineering”—of the business processes to make them more streamlined, efficient and more cost-effective.

Streamlined refers to the decrease in the number of steps—the “touch points” in today’s jargon—that a transaction takes as it winds its way through the system.

Efficient refers to the decrease in mistakes since the software does not miss a step in the transaction’s processing.

And more cost-effective refers to the reduction in the cost to process a transaction—from 20 to 3 cents, for example.

ERP implementation is a costly investment. For a mid-sized business (less than $500 million in revenues), it may even be the most costly expenditure of any kind. In return, ERP promises to create new competitive advantages to the company provided the implementation is done correctly.

It must not only be installed properly, it must be accompanied by the requisite business change in business processes, and, finally, be supported by senior management in order for the investment to deliver its benefits.

This is the promise of ERP fulfilled. The company’s competitive advantages will mainly come from the streamlined, efficient, and cost-effective business processes.




Sphere: Related Content

Saturday, May 26, 2007

Monday, May 14, 2007

PROJECT MANAGEMENT: REALISTICALLY CONSIDER THE BUDGET

Realistically consider the budget!

A project has five major elements:
  1. The budget
  2. The schedule
  3. The people
  4. The resources
  5. The rules

Project management has many aspects but all of them fit under these categories.

Why is budget listed first?

Well, isn’t cost usually the first thing the project sponsor brings up?

In fact, isn’t cost frequently brought up in the same conversation that sparked the project idea?

Doesn't it make sense therefore to immediately consider it?

If the sponsor wants to build a new $1 million data center and is suggesting that it can be done for $600,000, then maybe the project idea should be squelched right there and then.


Let's say that you were able to persuade the sponsor to increase the budget to $1 million. Is everything fine? No. It's easy to overlook a related aspect, namely, the scope. Specifically, you want to ensure that the budget is appropriate for the scope of the project. It is time, therefore, to define the scope.

Doesn't this approach run counter to the "normal" process of defining the scope before estimating the budget? On the other hand, doesn't the example given happen more frequently in real life? Reality often does not follow the textbook model. In this case, it certainly doesn't. The budget often precedes the scope although conventional project management thinking says that it should be the other way around.


Let's say that for any number of reasons, many of which were beyond your control, the new data center was finally finished at a total cost of $1.2 million. Now the question is whether you think the sponsor will consider the project successful?

What do you think?

The sponsor will probably not consider it a successful outcome unless they were forced to approve every change and/or activity that increased the total bill by another $200,000. An over-budget situation can be avoided by two things: first, ensure that the budget is appropriate for the project scope, and second, implement a strong change control process over the project cycle.

Where does the project scope fit in? As its own entity, it doesn’t. However, the components that comprise the project scope do. These components are the budget, the schedule, and the resources (including the people). As you can see, the project scope will fit once it is decomposed into its four elements.

It’s human nature to try to get more for you money. It’s suicide to accept a project that has an unrealistically low budget relative to its goal. Let’s keep that in mind.
Sphere: Related Content

Thursday, May 10, 2007

PRODUCTIVITY IS THE KEY TO A HEALTHY ECONOMY

Did accelerated IT investments create the US labor productivity boom of the late 1990s? Or can it be attributed to some other factors?

New research from the McKinsey Global Institute shows that IT was only one of several factors responsible for the productivity surge in the 90s.

In a handful of competitive industries, the most important cause was managerial innovation, that was sometimes (but not always) aided by technology. Many of the innovations underlying the acceleration will continue to generate productivity growth above the long-term trend for the next several years.


In general, three factors: (1) managerial innovation, (2) increased competition (sometimes sparked by regulatory change), and (3) cyclical demand factors were the primary drivers of the boom in US labor productivity in the 90s.

IT always played a supporting role during this period. IT was not one of the primary factors.




Sphere: Related Content

Monday, May 7, 2007

AN OVERVIEW OF HIPAA

The Health Insurance Portability & Accountability Act of 1996 (HIPAA) is one piece of legislation that our government did right. This explains its background, objective, and key points.


Brief history

The Health Insurance Portability & Accountability Act (HIPAA) became Public Law 104-191 in August 1996. It became the law despite numerous unsuccessful challenges by special interests (e.g., insurance providers, physician groups). Congress and the Department of Health & Human Services (DHHS) overcame the attempts of the special interests. They had the clout to do so since at least 60% of all healthcare claims are paid by the federal and state governments.

HIPAA’s necessity arose from the entangled economics of the healthcare industry. During the 1980s two significant changes restructured the healthcare model. The first was the job tenure. Employees and employers changed attitudes towards the notion of job tenure. Consequently, there was more job hopping. In many cases, a new job with a new employer reduced or even eliminated the employee’s health benefits. The second was the unexpected increase in the cost of delivering and administering healthcare. Doctors and hospitals discovered how to work the system of Medicare and Medicaid. While it is true that the funding created new technologies (many of which extended life spans), a good portion of the money that these special interests received went to their pockets. The mission of hospitals changed. Instead of concentrating on delivering health care to its patients, hospitals started consolidating in order to better compete for business.

In the early 1990s, the healthcare industry adopted standards for Electronic Data Interchange (EDI). Instead of paper, information was passed electronically. It was (and still is) an effective way of cutting costs and speeding up the claim processing cycle. Unfortunately, it did so at the expense of the security of patient information.

One of the election issues that the Clinton administration promised to resolve was the healthcare mess. It prompted Congress to explore ways and means to make healthcare portable—this was meant to mitigate the problem of job hopping. Since it was addressing that, Congress tackled the related issues of fraud and abuse of the funding spout of Medicare and Medicaid & the protection of sensitive patient information as health records were passed from one entity to another. The result was HIPAA.

HIPAA’s objective

The law’s objective is to improve the efficiency and effectiveness of the U.S. healthcare system. This objective requires the implementation of certain safeguards when reviewing, process, or storing patient and healthcare payment information.

It gives patients new rights of privacy. It limits access to and use of protected healthcare information to those who actually provide the healthcare.
HIPAA focuses on three major areas:
  1. Transactions
  2. Privacy
  3. Security.
Key Features
  • Patients can access their own protected healthcare information (PHI)
  • Covered entities (e.g., insurance companies, physicians) are restricted in their use of PHI. (Prior to HIPAA, as many as 150 persons had access to a patient’s PHI during a typical hospital stay!)
  • EDI transactions follow HIPAA-mandated standards. (Prior to HIPAA, proprietary formats abounded. Clearing houses had to reformat incoming and outgoing data.)
  • Access and security is protected by law. Stiff penalties, fines, and even imprisonment add bite to the teeth of the law.
  • HIPAA applies to all government agencies and supersedes all state laws (especially the less stringent ones).
Transactions, the first major area

Three key changes were made to electronic transactions:
  • Only EDI and direct data entry (DDE) are the authorized methods for processing electronic healthcare transactions.
  • Only nine EDI formats are allowed.
  • Only three code sets are allowed. Code sets are discussed in another blog entry. Click here.
How successful were these changes?
  • Prior to HIPAA, the average claim cycle was 75 days. One out of three claims was rejected due to administrative errors. Today, the claim cycle averages less than 24 hours and only one to three percent are rejected because of administrative errors.
  • Prior to HIPAA, it cost 29 cents (in 2003 dollars) to process every claim dollar. Today, it costs 4 cents.
A new industry has emerged to assist covered entities with these requirements. Click here for an example.

Privacy, the second major area

This has the most significant impact on the healthcare industry. It’s actually easier to protect PHI than it is to secure its privacy (e.g., a PHI can be copied and the fact that it was copied may go undetected). Implementation of the privacy rules must not interfere with the access or quality of healthcare.
  1. Privacy rules apply to all forms of PHI, be it written, electronic, oral, etc.
  2. Patients have more control since there are now boundaries and safeguards that protect their PHI for all treatment, payment, operations (TPO) transactions.
  3. Patients must give written consent to a healthcare provider to access and use the patient’s PHI. Consent is general in nature and covers the entire relationship between the patient and provider. Note that written consent is typically a condition of service. Providers will generally refuse to deliver services without this written consent. Rule exceptions are limited to emergencies, over-the-phone prescriptions and appointments, and a few others.
  4. Patient authorizations are required for every instance that their PHI is disclosed out of the normal TPO circle (e.g., submission of PHI data for medical research). Providers carry the burden of recording and tracking patient consent, authorizations, and revocations.
  5. PHI may be shared with business associates (e.g., administrative services, laboratories) only to assist in the administrative function of TPO. The covered entities are still responsible and liable for the privacy and security of PHI. Their business associates are not liable nor do they have to meet the requirements of the covered entities.
  6. Covered entities must make reasonable efforts to limit the disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure.
  7. Covered entities must: (a) notify their patients of their privacy rights, (b) write their own policies and procedures and define their own minimum necessary standards for disclosure, (c) designate a privacy official whose primary responsibility is the protection and privacy of all healthcare information, and (d) provide a secure environment for PHI. A secure environment makes PHI available only to authorized parties on a need-to-know basis. All employees who may come into contact with any PHI must be trained on privacy rules and procedures.
PHI used for marketing and research are governed by their respective sets of rules. Marketing example: the names of pregnant women cannot be given to diaper market researchers without their permission. Research example: absent the patient’s authorization, PHI may be shared provided all identifying information is removed. Incidentally, the marketing rules apply to business associates.

Privacy rules apply only to covered entities. These entities constitute 98% of the healthcare industry. It applies to all health plans, clearinghouses and healthcare providers such as hospitals, doctors, nurses, and EMTs. The only entities exempt from these rules are those that continue to use paper.

Security, the third major area

Security compliance became effective in April 2005. The rules have a “performance” nature instead of a “prescriptive” one. The former outlines the standards that must be met whereas the latter dictates the means to achieve the standards. This means that covered entities are free to use their own methods to meet the performance standards.

There are nuances that make life easier for covered entities. These entities have the prerogative of deciding the most cost-effective manner of implementing the appropriate level of security for their environment. As long as these procedures and the framework are well documented, the entities are not required to implement practices that unreasonable, impractical, or not cost-effective (i.e., where the cost exceeds the value of the risk). In sum, organizations have the freedom to interpret (but it better be reasonable!) the security standards and develop their own practices.

The security provision does not require the adoption of new practices. The covered entity’s present ones may be sufficient. However, HIPAA since expanded the scope of security to encompass the covered entity’s business partners, it just about made it necessary to add and develop new practices.

HIPAA’s security rules revolve around the industry’s best practices anyway. It is really in the covered entity’s best interests to adopt these best practices. The entities achieve both objectives—meet HIPAA’s security requirements and adopt best practices—at the same time.

Security is well-covered in numerous articles. For that reason, we shall just enumerate the main areas:
  1. Access control, which means authentication, authorization, and auditing
  2. Administrative policies and practice
  3. Chain of Trust agreements; this is the primary tool that expands the scope of privacy and security requirements to the business partners of the covered entities
  4. Data protection
  5. Digital signatures
  6. Disaster recovery
  7. Encryption
  8. Identification
  9. Physical security
  10. Processor/Server protection
  11. Remote access and VPNs
  12. Software certification
  13. System protection and certification.
End Notes
Concluding remarks

I adapted this from a white paper I wrote for a previous employer in 2000—shortly after Y2K. The healthcare industry was bracing for the next “big” event, namely HIPAA.

I welcome any comments, updates, and/or corrections.


Sphere: Related Content

Wednesday, May 2, 2007

THE 12 QUALITIES OF HAPPINESS

At the turn of the century, in my early 40s, I pondered what I really wanted out of my brief life in this world.

I concluded that it was to find happiness and to stay in that zone of happiness as much as possible. But what is happiness? Being happy can be a relative and transient feeling. It's a difficult question I think.

Ponder, for example, whether joy is happiness.

Research has shown a strong correlation between happiness and maturity. Older people tend to be more satisfied with their lot.

Regardless, the nature of happiness is an ancient question with many philosophical branches. Much as I enjoy that exercise, I wanted a more practical definition. I built the following list based upon the research of multitudes who preceded me. Are there other qualities that I am missing?


1. Love, or a feeling of being wanted or needed
2. Optimism, or the feeling of being positive
3. Courage, or the lack of fear (not to be equated with bravery)
4. A sense of freedom
5. Proactivity, or a sense of control
6. Security, or a feeling of "safe-ness"
7. Health, since health is wealth, especially in our older years
8. Spirituality, as one realizes his mortality
9. Altruism, or a willingness to share
10. Perspective, or wisdom and tolerance
11. Humor, because there are so many things to laugh about
12. Purpose, because without it, we just exist and not live

One other aspect of happiness, for me personally, is to leave a worthwhile legacy. It's not a quality which explains why it did not make the list. A legacy, however, is really the only thing we can leave behind. I had an aunt, for example, who left several legacies. One of them is a scholarship fund that pays for the education of the most deserving student from her hometown.

I would like to also mention the concept of "flow." I read this book entitled Flow: The Psychology of Optimal Experience. The two editorial reviews in amazon.com said this about the book:
You have heard about how a musician loses herself in her music, how a painter becomes one with the process of painting. In work, sport, conversation or hobby, you have experienced, yourself, the suspension of time, the freedom of complete absorption in activity. This is "flow," an experience that is at once demanding and rewarding—an experience that the author demonstrates is one of the most enjoyable and valuable experiences a person can have. The exhaustive case studies, controlled experiments and innumerable references to historical figures, philosophers and scientists through the ages prove the author's point that flow is a singularly productive and desirable state. But the implications for its application to society are what make the book revolutionary.

Aristotle observed 2,300 years ago that more than anything, men and women seek happiness. The author, a former Psychology professor at the University of Chicago, had for 25 years made similar observations regarding "flow," a field of behavioral science examining connections between satisfaction and daily activities. A state of flow ensues when one is engaged in self-controlled, goal-related, meaningful actions. Data regarding flow were collected on thousands of individuals, from mountain climbers to chess players. This thoroughly researched study is an intriguing look at the age-old problem of the pursuit of happiness and how, through conscious effort, we may more easily attain it.
The book is ponderous reading that reflects the academic background of its author. "Flow" is the equivalent in the common vernacular of being in the "zone." I suppose it is possible to live a life that lies mostly in the "zone" but that is probably possible only under special circumstances or with a special group of people (like Buddhist monks, for instance).

Is being in the "zone" happiness? No, I don't think so. It's too transient. Being in the zone does transport us into another reality. We don't feel hunger. We don't think of time. We're totally immersed in our activity. There is no doubt that being in the zone is a satisfying experience.

However, I think of happiness as a more lasting condition. And that list of qualities contains most of the attributes of that more lasting state called happiness.




Sphere: Related Content